Secure messaging app Wickr opens core crypto protocol to review
Wickr, the San Francisco-based company that’s behind the secure ephemeral messaging app of the same name, has published the core crypto protocol powering both the personal and the business versions of the app.
The personal version dates back to 2012, and Wickr Professional – the business collaboration and communication version of the app – was released in December 2016.
It is possible, and likely, that the company’s inroads into the business market are one of the reasons for the public release of the crypto code. The target user base – businesses that want secure communication software – might have a problem trusting an app whose source code can’t be audited by them or by independent third parties they contact.
Wickr CEO Joel Wallenstrom says that “the Electronic Frontier Foundation has been one of the key voices to inspire Wickr and many others in the industry to find a balance in engineering the privacy technology.”
In the (currently outdated) Secure Messaging Scorecard released in early 2015, the EFF pointed out two failings of the Wickr offering: the code is not open to independent review, and the security design is not properly documented.
According to the licence under which the code was released, developers, cryptographers, and academics can analyze, audit, evaluate, review, and test it, but no one can re-use it and make money off it.
According to The Register, the company does plan to open source the code at a later date, under a GNU license.
“Wickr has actively engaged the security and crypto communities to test and scrutinize our software and design decisions. No Wickr product goes to market without extensive scrutiny by our Advisors and best in the industry 3rd party security teams,” Wallenstrom pointed out. Now is the time for potential customers to do the same.
Finally, he also announced that well-known cryptographer Joel Alwen is joining the Wickr core research and engineering team.